[strongSwan] CHILD SA and PFS
Thomas Egerer
hakke_007 at gmx.de
Fri Aug 1 22:14:02 CEST 2014
Hi Emeric
On 08/01/2014 04:05 PM, Emeric POUPON wrote:
> Hello,
>
> I have some problems enabling PFS on the CHILD SA.
> I'm using strongswan 5.2.0 on FreeBSD.
>
> Here are the site configurations:
Looks good.
However [1], the IKE_AUTH exchange responsible for
establishing the *first* CHILD_SA does not include a key exchange
(KE), whereas [2], the CREATE_CHILD_SA exchange responsible
for creating (subsequent), or rekeying children, does include
an (optional) key exchange ([KE]).
If you wait for the configured keylife of <=60 minutes, you
should see a rekeying of the CHILD_SA take place, including
the configured PFS-group.
Cheers,
Thomas
[1] http://tools.ietf.org/html/rfc5996#appendix-C.2
[2] http://tools.ietf.org/html/rfc5996#appendix-C.4
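Worked example, added here and not code from this thread or from strongSwan itself: the CHILD_SA keying-material derivation from RFC 5996 section 2.17 that Thomas's answer rests on. The first CHILD_SA (IKE_AUTH, no KE payload) derives its keys from SK_d and the nonces only; a CREATE_CHILD_SA carrying a [KE] payload mixes in the fresh Diffie-Hellman secret, which is what the PFS group buys you at rekeying time. It assumes HMAC-SHA256 as the negotiated PRF and uses constructed placeholder values for SK_d, the nonces and the DH secret.

```python
"""CHILD_SA KEYMAT derivation per RFC 5996 section 2.17 (now RFC 7296).

Constructed example: the PRF is HMAC-SHA256 and every secret below is a
placeholder byte string, so it runs offline and deterministically.
"""
import hashlib
import hmac
from typing import Optional


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 5996 section 2.13:
    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n), output T1 | T2 | ..."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + seed + bytes([n]), hashlib.sha256).digest()
        out += prev
        n += 1
    return out[:length]


def child_keymat(sk_d: bytes, ni: bytes, nr: bytes, length: int,
                 g_ir_new: Optional[bytes] = None) -> bytes:
    """KEYMAT for one CHILD_SA.

    IKE_AUTH (first CHILD_SA, no KE payload):   prf+(SK_d, Ni | Nr)
    CREATE_CHILD_SA with [KE] (PFS, rekeying):  prf+(SK_d, g^ir(new) | Ni | Nr)
    Without g^ir the child keys depend entirely on the IKE_SA's SK_d.
    """
    seed = ni + nr if g_ir_new is None else g_ir_new + ni + nr
    return prf_plus(sk_d, seed, length)


def split_keymat(keymat: bytes, enc_len: int, integ_len: int) -> dict:
    """Slice KEYMAT in RFC order: initiator->responder keys first,
    and within each direction the encryption key before the integrity key."""
    fields = ("sk_ei", "sk_ai", "sk_er", "sk_ar")
    sizes = (enc_len, integ_len, enc_len, integ_len)
    keys, pos = {}, 0
    for name, size in zip(fields, sizes):
        keys[name] = keymat[pos:pos + size]
        pos += size
    return keys


# Constructed placeholder inputs (not taken from any real SA).
SK_D = b"\x11" * 32
NI, NR = b"\x22" * 16, b"\x33" * 16
G_IR_NEW = b"\x44" * 32  # fresh DH shared secret carried by the [KE] payload

# AES-128-CBC + HMAC-SHA1-96 needs 2 * (16 + 20) = 72 bytes of KEYMAT.
FIRST_CHILD = child_keymat(SK_D, NI, NR, 72)              # IKE_AUTH, no PFS
REKEYED_CHILD = child_keymat(SK_D, NI, NR, 72, G_IR_NEW)  # CREATE_CHILD_SA, PFS
```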